On 7/17/19 8:00 AM, Kevin Kaminski wrote:
> Hello,
> I am writing to this list for the first time, so I hope I am doing everything correctly.
> But here's what I need help with:
> First of all, we are using Keycloak version 5.0.0 in our company.
> I am experimenting a little with the "Attribute Importer" in Keycloak, because I want
> to receive all SAML attributes that get delivered via the Identity Provider's SAML
> response, listed in one and the same attribute. And that actually works after I
> configured the Mapper Type "Attribute Importer". I can see in Keycloak, in my user
> account > Attributes, that all of the attributes are imported (such as groups, name,
> first name, mail address) and they will be listed in one grouped attribute (not sure
> if there is another official name for it).
> The way I configured the mapper is:
> * Name: saml_attributes
> * Mapper Type: Attribute Importer
> * Attribute Name: empty
> * Friendly Name: empty
> * User Attribute Name: saml_attributes
> Now I configured a customer IDP (it's called JOSSO) and I did the exact same
> configuration of the Attribute Importer. However, Keycloak could not import all SAML
> attributes.
> After investigation I could see that the structure of the SAML response is different
> between both IDPs:
> The one that works (ADFS) looks like this:
> <AttributeStatement>
> <Attribute
> Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailadd...
> <AttributeValue>kevin.kaminski@movingimage.com</AttributeValue>
> The one where the importer doesn't work:
> <saml:Attribute FriendlyName="MA_EMAIL"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
> Name="MA_EMAIL">
> <saml:AttributeValue
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Did you forget to paste the entire XML element into the email, because
this is not a complete AttributeValue element?
> Is it possible that "saml:" is the reason Keycloak can't properly
> import it?
Only if the "saml" namespace prefix was not declared earlier via
xmlns:saml=, but then you should have gotten an XML parsing error logged.
My suggestion would be to check the server log for errors and/or paste
more complete XML from the assertion.
> Note: In general the "Attribute Importer" works if I configure a dedicated mapper for
> mail, name, etc. I specify these mappers with a Friendly Name.
> But this "grouped" import doesn't work.
> I hope I could make clear what my problem is, and I hope that someone is able to help.
--
John Dennis
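The point John makes about the "saml:" prefix can be checked offline. The script below is an added example, not code from the thread or from Keycloak: it builds three constructed AttributeStatement fragments (one in the default namespace, shaped like the ADFS response; one with the saml: prefix bound to the SAML 2.0 assertion namespace, shaped like the JOSSO response; and one that uses the prefix without ever declaring it) and shows that a namespace-aware parser treats the first two identically, while the third is rejected as malformed XML before any attribute can be read. The element and attribute names follow the fragments quoted above; the e-mail address and the helper names `extract_attributes` and `check_well_formed` are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample 1: elements in the default namespace, as in the ADFS response.
ADFS_STYLE = f"""<AttributeStatement xmlns="{SAML_NS}">
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>user@example.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>Example User</AttributeValue>
  </Attribute>
</AttributeStatement>"""

# Constructed sample 2: "saml:" prefix bound to the assertion namespace, as in the JOSSO response.
JOSSO_STYLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute FriendlyName="MA_EMAIL"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      Name="MA_EMAIL">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">user@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample 3: the prefix is used but never declared with xmlns:saml=.
UNDECLARED_PREFIX = """<saml:AttributeStatement>
  <saml:Attribute Name="MA_EMAIL">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def check_well_formed(xml_text):
    """Return (ok, message). A prefix that was never bound to a namespace URI
    makes the document malformed, so parsing fails before any attribute is read."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"XML parse error: {exc}"
    return True, "well-formed"


def extract_attributes(xml_text):
    """Return {attribute Name: [values]} from an AttributeStatement.

    Elements are matched by namespace URI, so whether the producer used a
    default namespace or a "saml:" prefix makes no difference to the result.
    Raises ET.ParseError for malformed input (e.g. an undeclared prefix)."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    result = {}
    for attr in root.findall("saml:Attribute", ns):
        # Name is mandatory in SAML 2.0; FriendlyName is only a fallback for display.
        name = attr.get("Name") or attr.get("FriendlyName")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", ns)]
        result[name] = values
    return result


if __name__ == "__main__":
    for label, doc in (("ADFS-style", ADFS_STYLE), ("JOSSO-style", JOSSO_STYLE),
                       ("undeclared prefix", UNDECLARED_PREFIX)):
        ok, msg = check_well_formed(doc)
        print(f"{label}: {msg}")
        if ok:
            print("  attributes:", extract_attributes(doc))
```

Running it prints the same attribute dictionary shape for both declared forms and a parse error for the third, which is the symptom John says would show up in the server log if the prefix were really the problem.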